Fetch allows JavaScript to set headers, except those that are "forbidden request-headers" under the specification. This specification says:
> Redirect-Origin provides browser-verified origin authentication.
These contradict. The origin authentication cannot be browser-verified if it can be set from JavaScript via the Fetch API.
The typical thing here is to use the "Sec-" prefix. All headers with the Sec- and Proxy- prefixes are forbidden request-headers. This rule also provides backwards compatibility as it ensures that newly introduced forbidden request-headers are forbidden in older browsers. So, you probably want to rename Request-Origin to Sec-Request-Origin, at least.
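The header-name rule discussed above, as an added example that is not part of the original issue or of the specification under review. It models the name-based part of the Fetch forbidden request-header check; the function names and the sample origin value are assumptions made for illustration.

```javascript
// Names the Fetch Standard lists as forbidden request-headers (lowercased).
// The value-dependent method-override headers are left out of this sketch.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
]);
// Any name with one of these prefixes is forbidden, including names that
// did not exist when the browser shipped.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

function isForbiddenRequestHeaderName(name) {
  const lower = String(name).toLowerCase();
  return FORBIDDEN_NAMES.has(lower) ||
    FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Models what a conforming browser does with headers supplied by page script:
// forbidden names are dropped, everything else goes out as written.
function splitScriptHeaders(headers) {
  const sent = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeaderName(name)) dropped.push(name);
    else sent[name] = value;
  }
  return { sent, dropped };
}

// Server-side question: could a value under this name have come from script?
function scriptCanSpoof(name) {
  return !isForbiddenRequestHeaderName(name);
}

// Constructed input: page script tries to assert an origin under both names.
const attempt = splitScriptHeaders({
  "Request-Origin": "https://bank.example",
  "Sec-Request-Origin": "https://bank.example",
  "X-Custom": "1",
});
console.log(attempt.sent);    // the unprefixed header reaches the server
console.log(attempt.dropped); // only the Sec- prefixed header is withheld
```

A server that treats the unprefixed header as browser-verified is trusting a value page script can choose; the prefixed name fails closed even in browsers that predate the header.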